Privacy Policy

This Privacy Policy explains how Herrise LLC (d/b/a Merchie) ("Merchie", "we", "us", or "our") collects, uses, and shares information when you visit merchie.app, use the Merchie merchant dashboard at dashboard.merchie.app, or interact with us in connection with the Merchie platform (the "Website"). By using the Website, you agree to this Privacy Policy.

This Privacy Policy covers two audiences:

1. Website visitors and prospects — people browsing merchie.app, requesting a demo, signing up for updates, or contacting us.
2. Merchants — local businesses that sign up to use the Merchie platform to operate a branded loyalty app for their own customers.

A separate Customer Privacy Policy, at merchie.app/legal/privacy, governs end-customer use of merchant-branded apps. If you are using a loyalty app branded by a local business, that policy applies to you, not this one.

1. Who We Are

Merchie is a software platform operated by Herrise LLC, a Delaware limited liability company doing business as "Merchie". Merchie provides white-labeled loyalty and rewards mobile apps to local businesses such as med spas, salons, aesthetic clinics, and similar service providers.

Privacy contact: herrisellc@gmail.com.

2. Information We Collect

2.1 From Website Visitors

• Contact information you provide via demo requests, contact forms, or newsletter signups: name, email, phone, business name, business type.
• Browser and device information automatically collected when you visit the Website: IP address, browser type and version, operating system, referring URL, pages viewed, time on page, and device type.
• Cookies and similar technologies described in Section 4.

2.2 From Merchants

When you create a Merchie merchant account and use the dashboard, we collect:

• Account information: legal business name, doing-business-as name, business address, owner/operator name, email, phone, and password (stored as a hash).
• Configuration data: branding (logos, colors, app name), business hours, services, pricing, rewards rules, gift card configuration, staff list, and similar operating data you enter into the dashboard.
• Payments and payout information: processed by Stripe (Stripe Connect Standard or Express). Stripe collects your business tax identification, banking details, and identity-verification data directly; Merchie does not see or store your full bank account number, tax ID, or government-issued identification.
• Subscription and billing information: plan, billing cycle, invoices, and payment status. Subscription payments are processed by Stripe.
• Communications: support tickets, emails, and other correspondence with our team.
• Usage information: dashboard pages visited, features used, configuration changes, and similar telemetry.
• Mobile-app build artifacts: when you launch an app on the Merchie platform, we generate and store the iOS and Android build configuration, certificates, and metadata associated with your app.

2.3 Customer Data Processed on Your Behalf

When Merchie operates your customer-facing app, we process data about your end customers (their names, emails, phones, transactions, photos, etc.) on your behalf. For that data:

• You are the data controller.
• Merchie is the data processor.
• The processing is governed by these Terms, the Customer Privacy Policy at merchie.app/legal/privacy, and any separate Data Processing Addendum (DPA) you execute with us.

You remain responsible for your customers' privacy rights and for complying with the laws that apply to your business (for example, state aesthetic and medical regulations, sales tax, gift card laws).

3. How We Use This Information

• Provide, operate, and improve the Website and the Merchie platform.
• Create and manage your Merchie merchant account.
• Configure and publish your branded mobile app(s) to the Apple App Store and Google Play.
• Process subscription payments and, through Stripe Connect, enable payouts from your customer transactions.
• Generate Merchant-side back-office tools such as weekly business reports, AI-assisted setup, and translation of in-app text. These tools may use OpenAI, Anthropic, and Browserless. We send only your business information (such as your public website content, configuration data, and aggregated non-identifying metrics) to these AI services — never the personal data of your end customers.
• Respond to support requests and communicate with you about the platform.
• Send transactional emails (account verification, billing receipts, security notices) and, where you have opted in, marketing emails about new features and offers.
• Analyze how the Website is used and improve performance, security, and reliability.
• Detect, prevent, and respond to fraud, abuse, and security incidents.
• Comply with legal obligations, enforce our agreements, and protect our rights.

4. Cookies and Similar Technologies

We use a small set of cookies and similar technologies on the Website:

We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that profile you across the internet. You can clear cookies and disable them in your browser settings; doing so may sign you out and reset preferences.

5. How We Share Information

We share information only in the following circumstances:

• With sub-processors as described in Section 15.
• With your authorized users — staff members and agency operators you have invited into your Merchie account.
• With professional advisors (lawyers, accountants, auditors) bound by confidentiality.
• In connection with a business transfer — a merger, acquisition, financing, reorganization, or sale of all or a portion of our assets. We will provide notice if your information would become subject to a different privacy policy.
• For legal reasons when we believe disclosure is required to comply with a legal obligation, court order, or government request; to protect rights, property, or safety; to enforce our agreements; or to investigate fraud.
• With your consent for any other purpose.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

6. Data Retention

• Active accounts: retained as long as your Merchie account is active.
• After cancellation: active personal identifiers are removed within 30 days, except for records we must retain by law.
• Billing and transaction records: retained up to 7 years for tax, accounting, and audit obligations.
• Communications: retained up to 3 years for dispute resolution and audit.
• Authentication logs: retained up to 1 year for security investigations.
• Encrypted backups: overwritten in the normal course of business within 90 days.
• De-identified or aggregated data: may be retained indefinitely.

7. International Transfers

Our infrastructure is operated in the United States. If you access the Website or use the platform from outside the United States, your information will be transferred to and processed in the United States. When we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement, or other lawful transfer mechanisms.

8. Security

We use commercially reasonable safeguards designed to protect your information, including encryption in transit (HTTPS/TLS), encryption at rest, hashed passwords, role-based access controls, rate limiting, and routine security monitoring. We require sub-processors to maintain comparable safeguards. No system is 100% secure; we cannot guarantee absolute security.

If we discover a data breach affecting your personal information, we will notify you and applicable regulators as required by law — generally within 72 hours of confirming the breach for individuals in the EEA/UK and without unreasonable delay in the United States.

9. Your Rights

Depending on where you live, you may have rights including access, correction, deletion, portability, objection, restriction, withdrawal of consent, and the right to lodge a complaint with a supervisory authority. To exercise any right, email herrisellc@gmail.com from the address associated with your account. We will verify your identity and respond within the timeframe required by applicable law.

9.1 California (CCPA / CPRA)

We do not "sell" or "share" personal information for cross-context behavioral advertising. California residents have the rights described above. We do not collect "sensitive personal information" requiring a right-to-limit. You may designate an authorized agent to make a request on your behalf with proof of authorization.

9.2 Other U.S. State Privacy Laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other U.S. states with comprehensive privacy laws have substantially similar rights. If we deny your request, you may appeal by replying to our response email; appeals are reviewed within 45 days.

9.3 EEA, UK, and Switzerland (GDPR)

We process personal data on the following GDPR / UK GDPR legal bases: (a) contract performance (Art. 6(1)(b)), (b) legal obligation (Art. 6(1)(c)), (c) legitimate interests (Art. 6(1)(f)), and (d) consent (Art. 6(1)(a)). You may lodge a complaint with your local supervisory authority.

10. How We Treat Customer Data You Bring Us

For data about your end customers — the people who download your loyalty app — Merchie acts as your data processor under your direction and the separate Customer Privacy Policy. We do not use that data to train AI models, build advertising profiles, contact your customers outside the scope of your instructions, or sell to third parties. If you wish to formalize this relationship with a Data Processing Addendum (DPA), email herrisellc@gmail.com.

11. Children's Privacy

The Website is intended for use by businesses and adults, not children. We do not knowingly collect personal information from children under 13.

12. Links to Other Sites

The Website may contain links to third-party websites or services we do not operate. We are not responsible for the content, privacy policies, or practices of any third-party site or service.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated through the Website, by email, or by a prominent notice. Continued use of the Website after the effective date constitutes acceptance.

14. Contact Us

For questions about this Privacy Policy or our privacy practices:

• Herrise LLC (d/b/a Merchie)
• Email: herrisellc@gmail.com
• State of formation: Delaware, United States

15. Sub-Processors and Third-Party Services

We share limited information with the following sub-processors. Each processes data only on our behalf under contractual obligations of confidentiality and security.

A current list of sub-processors is available on request. We do not share your personal information with advertisers, data brokers, or AI-model training datasets.